Re: Just goes to show..
"...Honestly, this is EXACTLY the sort of snidey, malinformed comment that infests the Reg's comments sections and makes me hate reading them.."
Well, first off, I've spent most of my career in and out, and around, what we'd now call EUC - so long, in fact, from way before it was called such a thing.
I've been involved in some massive rollouts and upgrades over the years and Microsoft have a habit of making things more difficult than they should be.
Worked with MECM lately? The interface is a mess and has been for a long time. Deployment tools are increasingly cluttered and difficult to untangle. Co-management *should* help but tends to add a large overhead on with diminishing returns that mean group policies are still required. A support mix that can be hell to unravel.
Why not just provide a mechanism to import group policies, convert them and apply them*?
During lockdown I was involved in a refresh for a council that had begun some time before C19 so we had to move it to a remote deployment.
It was painful for a number of reasons. But, as part of the programme, said council had bought around 4,000 new laptops (purchased mid-late 2019) to support Windows 10. The vast majority of them won't be supported by Windows 11 despite being Core i5 and i7 devices with plenty of RAM, SSDs etc.
Now, if Microsoft are truly stating that the TPM version is that important, a) there would be no mechanism to bypass it and b) they would put the requirement into Windows 10.
Since they don't do either of these things, it makes it arbitrary and clear to any idiot that it is a strategy designed to keep the uptick of laptop sales we saw during lockdown going for their partners and actually, the end result is the exact opposite - places will milk out their investments into Windows 10 and the devices it runs on for as long as they possibly can, even if that's beyond their usual refresh windows. But then let's also not forget that Windows 10 was the last version you'd ever buy and it would be rolling updates.
Likewise - what is the justification for not allowing me to have a local user account? Let's look at Intune for a second - I can create a deployment profile that creates a local user. I can even make that user non-administrative (yay!). If Microsoft believed that any kind of online account was a necessity then they would insist on an offline domain join and a domain user being used, but they do neither.
Still think my comments are snidey and malinformed?
*Something they've been promising for a long time, though I will confess I haven't checked their progress on this recently; the last time I did, it was still unavailable. (You could do a kind of group policy import that would tell you if the settings could be done in Intune or not, but not actually import them to use.)